{"id":14936,"date":"2025-10-11T00:03:32","date_gmt":"2025-10-11T00:03:32","guid":{"rendered":"https:\/\/newestek.com\/?p=14936"},"modified":"2025-10-11T00:03:32","modified_gmt":"2025-10-11T00:03:32","slug":"fbi-seizes-breachforums-servers-as-threatened-salesforce-data-release-deadline-approaches","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14936","title":{"rendered":"FBI seizes BreachForums servers as threatened Salesforce data release deadline approaches"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Only days ago, a message on the BreachForums extortion site threatened to leak one billion records allegedly stolen from the Salesforce systems of 39 of the largest companies in the world, including Disney, Toyota, Adidas, McDonald\u2019s, IKEA, and Home Depot.<\/p>\n<p>It was a threat that the criminals behind the site, a super-alliance of the ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups known as Scattered Lapsus$ Hunters, vowed to carry out via its dark web and Clearnet sites if Salesforce did not pay a ransom by 11.59 p.m. EST on October 10.<\/p>\n<p>\u201cIf Salesforce does not engage with us to resolve this, we will completely target each and every indiviual [sic] customers of theirs listed below, failure to comply will result in massive consequences,\u201d said a message on the original leak site.<\/p>\n<p>\u201cIf you are listed below we advise you to take every action to protect yourselves and reach out to us to resolve this. Do not be mistaken that your SaaS provider will protect all of you, they won\u2019t.\u201d<\/p>\n<p>However, on October 9, the BreachForums dark net and Clearnet sites displayed a very different message. 
\u201cThis domain has been seized,\u201d announced a domain takedown image, an action coordinated jointly by the US Department of Justice (DoJ), the FBI, France\u2019s BL2C cybercrime unit, and the Paris Prosecutor\u2019s Office.<\/p>\n<p>Normally, more detail on a police action of this magnitude would be published by the FBI itself, but the agency\u2019s website is currently not being updated due to the US government shutdown.<\/p>\n<p>What seems clear is that the bust is a significant one, disrupting not only the BreachForums sites but the back-end infrastructure, database archives, and escrow payment data dating back to 2023.<\/p>\n<p>\u201cBreachForums was seized by the FBI and international partners today. All our domains were taken from us by the US Government. The era of forums is over,\u201d the Scattered Lapsus$ Hunters group said in a <a href=\"https:\/\/socradar.io\/breachforums-seized-yes-again\/\" target=\"_blank\" rel=\"noreferrer noopener\">PGP-encrypted statement<\/a> on Telegram.<\/p>\n<p>Now for the bad news: as of October 9, the wider Salesforce ransom campaign is still active. Although the primary BreachForums sites have been taken over, a separate dark web data leak site remains operational, and the group is still threatening to release the Salesforce data records as originally planned, CSO Online has confirmed.<\/p>\n<h2 class=\"wp-block-heading\" id=\"fall-and-rise\">Fall and rise<\/h2>\n<p>This is not the first time BreachForums has been on the wrong end of police action.<\/p>\n<p>Domain seizure number one happened in June 2023, three months after the alleged BreachForums founder <a href=\"https:\/\/www.justice.gov\/archives\/opa\/pr\/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption\" target=\"_blank\" rel=\"noreferrer noopener\">Conor Fitzpatrick was arrested in New York<\/a>. 
The site was reinstated by ShinyHunters, only to be <a href=\"https:\/\/www.csoonline.com\/article\/2110830\/breachforums-seized-by-law-enforcement-admin-baphomet-arrested.html\" target=\"_blank\">downed for the second time<\/a> in May 2024. <a href=\"https:\/\/www.csoonline.com\/article\/4013356\/us-indicts-one-for-role-in-breachforums-france-arrests-four-others.html\" target=\"_blank\">More arrests followed in 2025<\/a>. By August, reports of Salesforce customers being <a href=\"https:\/\/www.csoonline.com\/article\/4042191\/shinyhunters-strike-again-workday-breach-tied-to-salesforce-targeted-social-engineering-wave.html\" target=\"_blank\">targeted by ShinyHunters<\/a> started to emerge, culminating in the latest action.<\/p>\n<p>Everything hinges on whether the group really has the data as claimed. There is no way to confirm this \u2014 ransomware groups have a record of exaggerating their crimes for the sake of publicity \u2014 but no way to refute it either.<\/p>\n<p>\u201cAt this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology,\u201d a Salesforce spokesperson <a href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/almost-1-billion-salesforce-records-stolen-hacker-group-claims-2025-10-03\/?utm_source=chatgpt.com\" target=\"_blank\" rel=\"noreferrer noopener\">told Reuters<\/a> earlier this month.<\/p>\n<p>The significance of the takedown is hard to assess beyond its symbolic value, but should become clearer in the weeks ahead, suggested experts.<\/p>\n<p>\u201cDomain seizures often provide server logs, user data, and cryptocurrency trails that can help fuel indictments and asset freezes. 
Today\u2019s seizure also has the potential to disrupt ransomware supply chains for future operations,\u201d said <a href=\"https:\/\/www.linkedin.com\/in\/zbyneksopuch\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zbyn\u011bk Sopuch<\/a>, CTO of security vendor Safetica Technologies.<\/p>\n<p>Nevertheless, one takedown was unlikely to reduce the wider threat of ransomware attacks. \u201cCSOs should consider today\u2019s seizure a 30-day grace period to ramp up dark web monitoring tools, audit Salesforce configurations, and drill their incident response playbooks,\u201d he said.<\/p>\n<h2 class=\"wp-block-heading\" id=\"targeting-saas\">Targeting SaaS<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/rikferguson\/\" target=\"_blank\" rel=\"noreferrer noopener\">Rik Ferguson<\/a>, VP security intelligence at Forescout, agreed that any disruption was likely to be a temporary setback.<\/p>\n<p>\u201cIt burns infrastructure, yields intelligence, and sows distrust among criminals. But the gang\u2019s dark-web leak site is still up, and they explicitly say the campaign continues,\u201d he told CSO Online by email.<\/p>\n<p>\u201cThat tells you everything about the current model: forum-free, portable extortion that pivots across Telegram, throwaway domains, and bespoke leak sites. Taking the sign down doesn\u2019t close the business.\u201d<\/p>\n<p>According to Ferguson, \u201cSaaS is the new blast radius,\u201d often compromised by abusing the OAuth and app-to-app trust on which these interconnected services depend. This is an attack surface that ransomware attackers will continue to target.<\/p>\n<p>How should enterprises secure themselves? 
\u201cTurn on OAuth app governance, least privilege scopes, token lifetime limits, and automated revocation on anomaly detection, kill any standing trust, rotate keys and tokens, shorten session lifetimes, and require step-up auth for high-risk actions,\u201d advised Ferguson.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Only days ago, a message on the BreachForums extortion site threatened to leak one billion records allegedly stolen from the Salesforce systems of 39 of the largest companies in the world, including Disney, Toyota, Adidas, McDonald\u2019s, IKEA, and Home Depot. It was a threat that the criminals behind the site, a super-alliance of the ShinyHunters, Scattered Spider, and LAPSUS$ ransomware groups known as Scattered Lapsus$&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14936\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14936","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14936","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14936"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14936\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}